One Article Review

Source: Anomali
Identifier: 3841167
Publication date: 2021-12-21 16:57:00 (seen: 2021-12-21 17:05:40)
Title: Anomali Cyber Watch: 'PseudoManuscrypt' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT31, Magecart, Hancitor, Pakdoor, Lazarus, and the vulnerability CVE-2021-21551. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

NSW Government Casual Recruiter Suffers Ransomware Hit (published: December 17, 2021)
Finite Recruitment suffered a ransomware attack during October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast-encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web; however, the firm remains fully operational, and affected customers are being informed.
Analyst Comment: Always check whether a decryptor is available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss.
MITRE ATT&CK: [MITRE ATT&CK] Scheduled Transfer - T1029
Tags: Conti, Wizard Spider, Ransomware, Banking and Finance

Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions (published: December 16, 2021)
Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. Historically, Phorpiex was used for sextortion, ransomware delivery, and cryptocurrency clipping. Twizt, however, appears to be focused primarily on stealing cryptocurrency and has stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens. The botnet departs from its traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communication between infected hosts, which eliminates the need for C2 communication since each host can fulfill that role.
Analyst Comment: Bots within a P2P network need to communicate regularly with other bots to receive and share commands. If the infected bots are on a private network, private IP addresses will be used. Therefore, careful monitoring of network traffic will reveal suspicious activity and a spike in network resource usage, as opposed to the detection of C2 IP addresses.
MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Clipboard Data - T1115
Tags: Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin

'PseudoManuscrypt' Mass Spyware Campaign Targets 35K Systems (published: December 16, 2021)
Kaspersky researchers have documented a spyware that has targeted 195 countries as of December 2021. The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group
Tags: Ransomware, Malware, Vulnerability, Threat, Guideline, Medical
Stories: APT 41, APT 38, APT 28, APT 31


The article does not appear to have been picked up after its publication.

The article does not appear to have been picked up from a previous one.