One Article Review

Home - The article:
Source: Anomali
Identifier: 4066974
Publication date: 2022-02-01 18:55:00 (viewed: 2022-02-01 19:07:39)
Title: Anomali Cyber Watch: Researchers Break Down WhisperGate Wiper Malware, Trickbot Will Now Try To Crash Researcher PCs to Stop Reverse Engineering Attempts, New DeadBolt Ransomware Targets QNAP Devices
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: CVE-2022-21882, DazzleSpy, DeadBolt, DTPacker, Trickbot, and WhisperGate. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Windows Vulnerability With New Public Exploits Lets You Become Admin (published: January 29, 2022)

A new vulnerability, tracked as CVE-2022-21882, was discovered by researcher RyeLv in early January 2022. The exploit is a bypass of a previous vulnerability, CVE-2021-1732, and affects all Windows 10 machines that have not applied January's Patch Tuesday patch. This vulnerability is a privilege escalation exploit, which grants administrator-level privileges and allows for the creation of new admin accounts, as well as lateral movement. The exploit abuses a flaw in the manner in which the kernel handles callbacks, changing the ConsoleWindow flag. This modifies the window type and tricks the system into thinking tagWND.WndExtra is an offset into the kernel desktop heap, thereby granting administrator-level read and write access.

Analyst Comment: Apply patches when they become available to keep your systems and assets protected from the latest attacks and vulnerabilities. This is essential when new vulnerabilities are discovered, as threat actors will actively attempt to exploit them. A strong patch management policy combined with an effective asset management policy will assist you in keeping your assets up to date and protected.

MITRE ATT&CK: [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Process Discovery - T1057
Tags: Windows, Privilege escalation, CVE-2021-1732, CVE-2022-21882

Shipment-Delivery Scams Become the Favored Way to Spread Malware (published: January 28, 2022)

Researchers at Cofense and Checkpoint have documented a series of phishing campaigns throughout Q4 of 2021. The campaigns imitate large, well-known delivery brands such as DHL or the US Postal Service, and aim to abuse the trust associated with these companies to manipulate their targets into clicking malicious links or files. The most prominent tactic is to provide a link to a missed package, capitalizing on current global supply chain issues. Once clicked, TrickBot malware is delivered, though other campaigns are delivering as-yet unattributed trojans. The malicious links in these campaigns are not particularly sophisticated and are easily identified as false, as they lead to domains outside the company they are impersonating.

Analyst Comment: Never click on attachments or links from untrustworthy sources, and verify the integrity of these emails with the legitimate sender. Treat any email that attempts to scare, coerce, provide a time limit, or force you to click links or attachments with extreme suspicion.

MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Phishing
Sent: Yes
Tags: Ransomware, Malware, Vulnerability, Threat, Guideline
Stories: NotPetya


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.