One Article Review

Source: Anomali
Identifier: 3699453
Publication date: 2021-11-23 20:30:00 (seen: 2021-11-23 21:05:39)
Title: Anomali Cyber Watch: APT, Emotet, Iran, RedCurl and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

[Figure 1 - IOC Summary Charts] These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Emotet malware is back and rebuilding its botnet via TrickBot (published: November 15, 2021)

After Europol enforcement executed a takeover of the Emotet infrastructure in April 2021 and German law enforcement used this infrastructure to load a module triggering an uninstall of existing Emotet installs, new Emotet installs have been detected via initial infections with TrickBot. These campaigns and infrastructure appear to be proliferating rapidly. Once a device is infected with Emotet, in addition to being used to send malspam, it can have additional malware downloaded and installed on it for various purposes, including ransomware. Researchers currently have not seen any spamming activity or any known malicious documents dropping Emotet malware other than via TrickBot. It is possible that Emotet is using TrickBot to rebuild its infrastructure and steal email chains that it will use in future spam attacks.

Analyst Comment: Phishing continues to be a preferred method for initial infection by many actors and malware families. End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated.

***For Anomali ThreatStream Customers*** To assist the community, especially with the online shopping season upon us, Anomali Threat Research has made available two threat actor-focused dashboards, Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Automated Collection - T1119
Tags: Emotet, TrickBot, phishing, ransomware

Wind Turbine Giant Offline After Cyber Incident (published: November 22, 2021)

The internal IT systems of Vestas Wind Systems, the world's largest manufacturer of wind turbines, have been hit by an attack. This attack does not appear to have affected their manufacturing or supply chain, and recovery of affected systems is underway, although a number of systems remain off as a precaution. The company has announced that some data has been compromised. The investigation of this incident is ongoing, but it may have been a ransomware attack. The incidents of ransomware across the globe increased by near
Tags: Ransomware, Spam, Malware, Tool, Vulnerability, Threat, Patching


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.