One Article Review

The article:
Source: Anomali
Identifier: 4030711
Publication date: 2022-01-25 16:00:00 (seen: 2022-01-25 16:06:02)
Title: Anomali Cyber Watch: MoonBounce, AccessPress, QR Code Scams and More
Text:

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Linux Malware, Supply-Chain Attacks, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

FBI Warns Of Malicious QR Codes Used To Steal Your Money (published: January 23, 2022)

The Federal Bureau of Investigation (FBI) recently released a notice that malicious QR codes have been found in the wild. These codes, when scanned, redirect the victim to a site where they are prompted to enter personal and payment details. The site then harvests these credentials for cybercriminals to commit fraud and empty bank accounts. This threat vector has been seen in Germany as of December 2021.

Analyst Comment: Always be sure to check that emails have been sent from a legitimate source, and that any financial details or method of payment are submitted through the website itself. While QR codes are useful and are being used by businesses more often, it is easy for cybercriminals to perform this kind of scam. If scanning a physical QR code, ensure the code has not been replaced with a sticker placed on top of the original code. Check the final URL to make sure it is the intended site and looks authentic.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566
Tags: EU & UK, Banking and Finance

MoonBounce: The Dark Side Of UEFI Firmware (published: January 20, 2022)

Kaspersky has reported that in September 2021, a bootloader malware infection was discovered that embeds itself into UEFI firmware. The malware patches existing UEFI drivers and resides in the SPI flash memory located on the motherboard. This means that it persists even if the hard drive is replaced. Code snippets and IP addresses link the activity to APT41, a group operated by Chinese-speaking individuals. MoonBounce is highly sophisticated and very difficult to detect.

Analyst Comment: Systems should be configured to take advantage of Trusted Platform Module (TPM) hardware security chips to secure their boot image and firmware, where available. Secure Boot is also a viable option to mitigate attacks that would patch, reconfigure, or flash existing UEFI firmware to implant malicious code.

MITRE ATT&CK: [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Hijack Execution Flow - T1574 |
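The TPM and Secure Boot mitigations recommended in the MoonBounce analyst comment, as an added example that is not part of the Anomali article: a POSIX shell check that reads a Linux host's Secure Boot state from efivarfs and compares the TPM's PCR0 firmware measurement with a baseline digest. The sysfs paths are the standard Linux locations; the baseline digest is an assumed placeholder that you record yourself from a trusted build of the machine.

```shell
#!/bin/sh
# Added example, not from the Anomali article: a defender's firmware-integrity
# check for a Linux host. It reads the UEFI SecureBoot variable as exposed by
# efivarfs (a 4-byte attribute header followed by the 1-byte value) and compares
# the TPM's PCR0 (the firmware code measurement) against a baseline recorded on
# a trusted build. A firmware implant of the MoonBounce kind, which patches UEFI
# drivers in SPI flash, alters the measured firmware and therefore PCR0.
# Paths are the standard sysfs locations (pcr-sha256 needs kernel 5.12 or later);
# both functions take the file path as an argument so the check can also be run
# against files captured from another machine.

EFIVAR_SB="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
PCR0_FILE="/sys/class/tpm/tpm0/pcr-sha256/0"

# Print "enabled", "disabled" or "unknown" for an efivarfs SecureBoot file.
secureboot_state() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    # Skip the 4 attribute bytes; the 5th byte is the variable's value.
    val=$(od -A n -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Compare the live PCR0 (hex digest, any case) with a baseline digest and print
# "match", "MISMATCH", or "unknown" when the TPM is not exposed.
pcr0_check() {
    live_file="$1"; baseline="$2"
    [ -r "$live_file" ] || { echo unknown; return 0; }
    live=$(tr -d ' \n' < "$live_file" | tr 'A-F' 'a-f')
    want=$(printf '%s' "$baseline" | tr 'A-F' 'a-f')
    if [ -n "$live" ] && [ "$live" = "$want" ]; then echo match; else echo MISMATCH; fi
}

# Stand-alone run against the live host. PCR0_BASELINE must hold the digest
# recorded from a trusted build; the default below is only a placeholder.
echo "Secure Boot: $(secureboot_state "$EFIVAR_SB")"
echo "PCR0: $(pcr0_check "$PCR0_FILE" "${PCR0_BASELINE:-PLACEHOLDER-BASELINE}")"
```

A PCR0 mismatch on a machine whose firmware was not deliberately updated is the signal to pull the SPI flash image for analysis rather than reimaging the disk, which this class of implant survives.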
Sent: Yes
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline
Stories: APT 41, APT 28


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.