One Article Review

Home - The article:
Source Anomali
Identifier 3928542
Publication date 2022-01-05 19:55:00 (viewed: 2022-01-05 20:05:45)
Title Anomali Cyber Watch: $5 Million Breach Extortion, APTs Using DGA Subdomains, Cyberespionage Group Incorporates A New Tool, and More
Text

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Data breach, DGA, Infostealer, Phishing, Rootkit, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Fintech Firm Hit by Log4j Hack Refuses to Pay $5 Million Ransom (published: December 29, 2021)

The Vietnamese crypto trading platform ONUS was breached by unknown threat actor(s) exploiting the Log4Shell (CVE-2021-44228) vulnerability between December 11 and 13. The exploited target was an AWS server running Cyclos, which is a point-of-sale software provider, and the server was intended only for sandbox purposes. The actors were then able to steal information via misconfigured AWS S3 buckets containing information on approximately two million customers. The threat actors then attempted to extort five million dollars (USD).

Analyst Comment: Although Cyclos issued a warning to patch on December 13, the threat actors had already gained illicit access. Even though Log4Shell provided initial access to the compromised server, it was the misconfigured buckets that the actors took advantage of to steal data.

MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: ONUS, Log4Shell, CVE-2021-44228

Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends (published: December 29, 2021)

Palo Alto Networks Unit42 researchers have published a report based on their tracking of strategically aged malicious domains (registered but not used until a specific time) and the subdomains created by their domain generation algorithms (DGAs). Researchers found two Pegasus spyware command and control domains that were registered in 2019 and were not active until July 2021. A phishing campaign using DGA subdomains similar to those used during the SolarWinds supply chain attack was also identified.

Analyst Comment: Monitor your networks for abnormal DNS requests, and have bandwidth limitations in place, if possible, to prevent numerous connections to DGA domains. Knowing which DGAs are most active in the wild will allow you to build a proactive defense by detecting any DGA that is in use. Anomali can detect DGA algorithms used by malware to assist in defending against these types of threats.

MITRE ATT&CK: [MITRE ATT&CK] Dynamic Resolution - T1568 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Application Layer Protocol - T1071
Tags: DGA, Pegasus, Phishing

Implant.ARM.iLOBleed.a (published: December 28, 2021)

Amnpardaz researchers discovered a new rootkit that has been targeting Hewlett-Packard Enterprise's Integrated Lights-Out (iLO) server managemen
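The analyst comment above recommends watching DNS traffic for DGA activity, and the Unit42 story pairs that with domains registered long before first use. The following script is an added illustration, not code from Anomali or Unit42: it runs a simple entropy/character heuristic over constructed DNS query log lines, groups DGA-looking subdomains by parent domain, and compares first-seen dates against constructed registration dates (standing in for a WHOIS/RDAP lookup) to flag a strategically aged parent. The log format, thresholds and dates are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample DNS query log: date/time, client IP, queried name.
SAMPLE_DNS_LOG = """\
2021-07-02T10:14:05Z 10.0.0.12 mail.example-corp.test
2021-07-02T10:14:09Z 10.0.0.12 x7k2q9vbn4m1.updates-cdn.test
2021-07-02T10:14:11Z 10.0.0.12 p0zt3lq8wd5r.updates-cdn.test
2021-07-02T10:16:02Z 10.0.0.31 hj4f8snq2dkz.updates-cdn.test
"""
# Constructed registration dates standing in for WHOIS/RDAP lookups (assumption).
REGISTRATION_DATES = {"updates-cdn.test": date(2019, 3, 14),
                      "example-corp.test": date(2015, 6, 1)}
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ (\S+) (\S+)$")

def looks_generated(label, min_len=10, min_entropy=3.0):
    """Heuristic DGA test: long label, high entropy, few vowels, a digit present."""
    if len(label) < min_len:
        return False
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    return entropy >= min_entropy and vowel_ratio < 0.3 and any(ch.isdigit() for ch in label)

def analyze_dns_log(log_text, registrations, min_age_days=365):
    """Group DGA-looking subdomains by parent domain and flag strategically aged parents."""
    seen = defaultdict(lambda: {"labels": set(), "clients": set(), "first": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        day, client, name = m.groups()
        label = name.split(".")[0]
        if not looks_generated(label):
            continue
        # Naive two-label parent; production code should use the Public Suffix List.
        rec = seen[".".join(name.split(".")[-2:])]
        rec["labels"].add(label)
        rec["clients"].add(client)
        d = date.fromisoformat(day)
        rec["first"] = d if rec["first"] is None or d < rec["first"] else rec["first"]
    findings = {}
    for domain, rec in seen.items():
        reg = registrations.get(domain)
        age = (rec["first"] - reg).days if reg else None  # registered long before first use?
        findings[domain] = {"dga_subdomains": len(rec["labels"]), "clients": sorted(rec["clients"]),
                            "age_days_at_first_seen": age, "strategically_aged": bool(reg) and age >= min_age_days}
    return findings
```

A parent domain with several high-entropy subdomains from multiple clients, registered years before its first appearance in your logs, is the pattern the Unit42 report describes and is worth triage; tune the thresholds against your own benign traffic (CDN hostnames and hashed tracking labels are common false positives).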
Sent Yes
Tags Malware Hack Tool Vulnerability Threat
Stories LastPass


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.