Source |
Anomali |
Identifier |
3598623 |
Publication date |
2021-11-02 15:00:00 (viewed: 2021-11-02 15:05:42) |
Title |
Anomali Cyber Watch: Russian Intelligence Targets IT Providers, Malspam Abuses Squid Games, Another npm Library Compromise, and More |
Text |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data leak, Critical services, Money laundering, Phishing, Ransomware, and Supply-chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
BlackMatter: New Data Exfiltration Tool Used in Attacks
(published: November 1, 2021)
Symantec researchers have discovered a custom data exfiltration tool, dubbed Exmatter, being used by the BlackMatter ransomware group. The same group was also responsible for the Darkside ransomware, the variant that led to the May 2021 Colonial Pipeline outage. Exmatter is compiled as an obfuscated .NET executable. It is designed to steal sensitive data and upload it to an attacker-controlled server as fast as possible before the ransomware is deployed. The speed is achieved through multiple filtering mechanisms: a directory exclusion list, a filetype whitelist, exclusion of files smaller than 1,024 bytes, exclusion of files with certain attributes, and a filename string exclusion list. Exmatter is under active development, as three newer versions have been found in the wild.
Analyst Comment: BlackMatter's Exmatter follows two custom data exfiltration tools linked to the LockBit ransomware operation. Attackers narrow their data sources to those deemed most profitable or business-critical in order to speed up the whole exfiltration process. This makes it even more crucial for defenders to be prepared to stop any detected exfiltration quickly.
MITRE ATT&CK: [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048
Tags: Exmatter, BlackMatter, Darkside, Ransomware, Exfiltration, Data loss prevention
Iran Says Israel, U.S. Likely Behind Cyberattack on Gas Stations
(published: October 31, 2021)
Iranian General Gholamreza Jalali, head of Iran’s passive defense organization, went on state-run television to blame Israel and the U.S. for an October 26, 2021 cyberattack that paralyzed gasoline stations across the country. The attack on Iran's fuel distribution chain forced the shutdown of a network of filling stations. The incident disabled the government-issued electronic subsidy cards that tens of millions of Iranians use to purchase fuel at discounted prices. Jalali said the attack bore similarities to the cyber strikes on Iran’s rail network and the Shahid Rajaee port. The latest attack displayed a message reading "cyberattack 64411" on gas pumps when people tried to use their subsidy cards. Similarly, in July 2021, attackers targeting Iran's railroad prompted victims to call 64411, the phone number for the office of Supreme Leader Ali Khamenei.
Analyst Comment: Iran has not provided evidence behind the attribution, so |
Notes |
|
Sent |
Yes |
Digest |
Tags |
Ransomware
Malware
Tool
Threat
Guideline
|
Stories |
APT 29
|