One Article Review

Home - The article:
Source BAE
Identifier 419214
Publication date 2017-10-16 22:32:36 (viewed: 2017-10-16 22:32:36)
Title Taiwan Heist: Lazarus Tools and Ransomware
Text Written by Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, and James Wong

BACKGROUND

Reports emerged just over a week ago of a new cyber-enabled bank heist in Asia. Attackers targeting Far Eastern International Bank (FEIB), a commercial firm in Taiwan, moved funds from its accounts to multiple overseas beneficiaries. In a story which reminds us of the Bangladesh Bank case – the culprits had compromised the bank's system connected to the SWIFT network and used this to perform the transfers. In recent days, various malware samples have been uploaded to malware repositories which appear to originate from the intrusion. These include both known Lazarus group tools, as well as a rare ransomware variant called 'Hermes' which may have been used as a distraction or cover-up for the security team whilst the heist was occurring. The timeline below provides an overview of the key events:

01 October 2017: Malware compiled containing admin credentials for the FEIB network.
03 October 2017: Transfers using MT103 messages were sent from FEIB to Cambodia, the US and Sri Lanka. Messages to cover the funds for the payments were incorrectly created and sent.
03 October 2017: Breach discovered and ransomware uploaded to online malware repository site.
04 October 2017: Individual in Sri Lanka cashes out a reported Rs30m (~$195,000).
06 October 2017
Sent Yes
Tags Medical
Stories Wannacry APT 38
Notes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.