One Article Review

Source: Anomali
Identifier: 3999162
Publication date: 2022-01-19 22:45:00 (viewed: 2022-01-19 23:05:34)
Title: Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More
Text:

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, HTTP Stack, Malspam, North Korea, Phishing, Russia and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques (published: January 17, 2022)

The Earth Lusca threat group is part of the Winnti cluster. It is one of several Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs), including the use of Winnti malware. Earth Lusca was active throughout 2021, conducting both cyberespionage operations against government-connected organizations and financially motivated intrusions targeting the gambling and cryptocurrency-related sectors. For initial intrusion, the group uses several methods, including spearphishing, watering-hole attacks, and exploitation of public-facing servers. Cobalt Strike is one of the group's preferred post-exploitation tools, followed by the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group operates two separate infrastructure clusters: the first consists of rented Vultr VPS servers used for command-and-control (C2); the second consists of compromised web servers used to scan for vulnerabilities, tunnel traffic, and serve as Cobalt Strike C2.

Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as not clicking suspicious email or website links and not reacting to random banners urging you to update important public-facing applications. Don't be tricked into downloading an "Adobe Flash update": Flash was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated.

MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Patching, Guideline
Stories: APT 41, APT 38, APT 29, APT 28