One Article Review

Source: Anomali
Identifier: 3667130
Publication date: 2021-11-16 17:34:00 (seen: 2021-11-16 18:13:02)
Title: Anomali Cyber Watch: REvil Affiliates Arrested, Electronics Retail Giant Hit By Ransomware, Robinhood Breach, Zero Day In Palo Alto Security Appliance and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer (published: November 8, 2021)

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting a vulnerability in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution. Palo Alto, Microsoft and Lumen Technologies made a joint effort to track, analyse and mitigate this threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine global organizations across the technology, defense, healthcare and education industries.

Analyst Comment: This actor has used some unique techniques in these attacks, including a legitimate blockchain-based remote control application and a credential-stealing tool that hooks specific functions in the LSASS process. It is important to make sure your EDR solution supports detecting such advanced techniques and is configured to do so, so that attacks like these are detected.

MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Credentials in Files - T1081 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Pass the Hash - T1075

Tags: Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China

REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom (published: November 9, 2021)

A 22-year-old Ukrainian national named Yaroslav Vasinskyi has been charged with conducting ransomware attacks by the U.S. Department of Justice (DOJ). These attacks include t
Notes
Sent: Yes
Tags: Ransomware, Data Breach, Malware, Tool, Vulnerability, Threat, Medical
Stories: APT 38, APT 27, APT 1
The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.