One Article Review

Home - The article:
Source Anomali
Identifier 3757325
Publication date 2021-12-07 16:04:00 (viewed: 2021-12-07 16:05:43)
Title Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Ransomware, Maldocs, E-Commerce, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

[Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.]

Trending Cyber News and Threat Intelligence

New Malware Hides as Legit Nginx Process on E-Commerce Servers (published: December 2, 2021)

Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes, which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system.

Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. That way, it will be easier to spot unusual traffic and connections to and from your network and potentially identify malicious activity.

MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Shared Modules - T1129
Tags: NginRAT, CronRAT, Nginx, North America, EU

How Phishing Kits Are Enabling A New Legion Of Pro Phishers (published: December 2, 2021)

Phishing kits, such as XBALTI, are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested.

Analyst Comment: With financial transactions increasing around this time of year, it is likely that financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document with a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Such emails should be avoided and reported to the appropriate personnel.

Tags: Phishing, XBALTI

Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors (pub
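The NginRAT story above notes that CronRAT persists by scheduling jobs on calendar days that never occur, so a plain reading of the crontab shows entries that look harmless but can only be reached by the malware's own scheduler. The following scanner is an added example written for this review; it is not Sansec's or Anomali's code, and the crontab it scans is a constructed sample, not a capture from an infected host. It expands each entry's day-of-month and month fields and flags entries whose date can never fire, honouring Vixie cron's rule that a restricted day-of-week field makes the job run on that weekday regardless of the date.

```python
"""Flag crontab entries scheduled on calendar dates that never occur.

Added example, not part of the Anomali Cyber Watch write-up. The CronRAT
persistence trick described on the page hides jobs on impossible dates
(e.g. 31 February); a defender can scan crontabs for exactly that pattern.
"""
import re

# Maximum day-of-month per month; February uses 29 so leap-day jobs are not flagged.
MAX_DAY = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
           7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}
MONTH_NAMES = {name: i for i, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


def _to_int(token, names):
    """Convert a numeric or named cron token ('2' or 'feb') to an int."""
    lowered = token.lower()
    return names[lowered] if lowered in names else int(token)


def expand_field(field, lo, hi, names=None):
    """Expand a cron field ('*', '5', '1-3', '*/2', '1,15', 'feb') into a set of ints."""
    names = names or {}
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _to_int(a, names), _to_int(b, names)
        else:
            start = end = _to_int(part, names)
        values.update(range(start, end + 1, step))
    return values


def is_unreachable(dom_field, mon_field, dow_field="*"):
    """True if no (day, month) pair in the entry exists on a real calendar.

    Vixie cron fires a job when day-of-month OR day-of-week matches once both
    are restricted, so an entry with a fixed weekday still runs on that weekday
    even if the date is impossible; only entries with '*' weekdays are judged.
    """
    if dow_field != "*":
        return False
    days = expand_field(dom_field, 1, 31)
    months = expand_field(mon_field, 1, 12, MONTH_NAMES)
    return not any(d <= MAX_DAY[m] for d in days for m in months)


# minute hour day-of-month month day-of-week command
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def find_unreachable_entries(crontab_text):
    """Return the crontab lines whose schedule can never occur."""
    flagged = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        # Skip blanks, comments, environment assignments and @reboot-style specials.
        if not stripped or stripped[0] in "#@":
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", stripped):
            continue
        match = CRON_LINE.match(stripped)
        if not match:
            continue
        _minute, _hour, dom, mon, dow, _cmd = match.groups()
        try:
            if is_unreachable(dom, mon, dow):
                flagged.append(stripped)
        except ValueError:
            # Unparseable field: leave it for manual review rather than guess.
            continue
    return flagged


# Constructed sample crontab (not a real capture); the /tmp entries are the decoys.
SAMPLE_CRONTAB = """\
# constructed sample
SHELL=/bin/sh
0 3 * * * /usr/bin/backup.sh
*/5 * * * * /usr/bin/logrotate-check
30 2 31 2 * /tmp/.x/runner
0 0 30 feb * /tmp/.y/loader
0 0 31 4,6 * /tmp/.z/stage
0 0 31 2 1 /usr/local/bin/weekly-report
0 0 29 2 * /usr/local/bin/leap-day-job
"""

if __name__ == "__main__":
    for entry in find_unreachable_entries(SAMPLE_CRONTAB):
        print("never fires:", entry)
```

Run it against the output of `crontab -l` for each account and the files under /etc/cron.d; an entry that can never fire has no legitimate reason to exist and is worth pulling the referenced binary for analysis. The check deliberately leaves entries with a restricted weekday alone, since those do run and would produce false positives.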
Tags Ransomware Malware Tool Vulnerability Threat Cloud
Stories APT 37


The article does not appear to have been republished after its publication.


The article does not appear to repeat an earlier one.