One Article Review

Home - The article:
Source Anomali
Identifier 4208291
Publication date 2022-03-01 16:01:00 (viewed: 2022-03-01 16:05:52)
Title Anomali Cyber Watch: Information-Stealing and Wiping Campaigns Target Ukraine, Electron Bot Is After Social Media Accounts, Attackers Poison Application and Library Repositories, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Iran, Russia, Spearphishing, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot (published: February 25, 2022)
Researchers at Unit 42 identified an attack targeting an energy organization in Ukraine. Ukrainian CERT has attributed this attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to organization employees containing a malicious JavaScript file that would download and install a downloader known as SaintBot and a document stealer called OutSteel. The actors leverage Discord's content delivery network (CDN) to host their payload. The goal of this attack was data collection on government organizations and companies involved with critical infrastructure.
Analyst Comment: Administrators can block traffic to discordapp[.]com if their organization does not have a current legitimate use of Discord. Implement attack surface reduction rules for Microsoft Office. Train users to recognize, safely process, and report potential spearphishing emails.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Modify Registry - T1112
Tags: Russia, Ukraine, OutSteal, SaintBot, UAC-0056, TA471, Lorec53, SaintBear, Ukraine-Russia Conflict 2022, Operation Bleeding Bear

Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations (published: February 25, 2022)
Researchers at Secureworks have identified and investigated reports of Ukrainian government and financial organizations being impacted by distributed denial of service and wiper attacks. Between 15 and 23 February there was intermittent loss of access to a large number of government websites belonging to the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Security Service, Ministry of Internal Affairs, and Cabinet of Ministers, as well as to PrivatBank and Oschadbank. Along with this, the threat actors also targeted some government and financial organizations in Ukraine to deploy a novel wiper dubbed 'HermeticWiper', which abuses a legitimate, signed EaseUS partition management driver. In other attacks targeting Ukraine, researchers also observed 13 Ukrainian government websites defaced and Tor forums listing data on Ukrainian citizens for sale.
Analyst Comment: Organizations exposed to the war between Russia and Ukraine should be on high alert regarding the ongoing cyberattacks. Implement a defense-in-depth approach including patch management, anti-phishing training, disaster recovery plans, and backing up your information and systems.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 |
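The first Analyst Comment recommends blocking discordapp[.]com where Discord has no legitimate business use. The following added example (not part of the Anomali article) shows a defender-side check that refangs that indicator and flags web proxy log entries reaching the domain or any of its subdomains; the log format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Indicator exactly as printed (defanged) in the Anomali write-up.
DEFANGED_IOC = "discordapp[.]com"


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be matched against real logs."""
    return re.sub(r"\[\.\]", ".", indicator).replace("hxxp", "http")


def host_matches(host: str, blocked_domain: str) -> bool:
    """True if host is the blocked domain itself or one of its subdomains.

    A plain substring test would also match look-alikes such as
    'notdiscordapp.com', so compare on label boundaries instead.
    """
    host = host.lower().rstrip(".")
    return host == blocked_domain or host.endswith("." + blocked_domain)


def flag_blocked_domain(log_lines, blocked_domain=refang(DEFANGED_IOC)):
    """Return (timestamp, source_ip, url) for every proxy entry reaching blocked_domain.

    Assumed (constructed) line format: '<timestamp> <src_ip> <method> <url> <status>'.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line: skip rather than crash
        ts, src, _method, url, _status = parts[:5]
        host = urlparse(url).hostname or ""
        if host_matches(host, blocked_domain):
            hits.append((ts, src, url))
    return hits


# Constructed sample proxy log: two Discord CDN fetches, one look-alike, one benign.
SAMPLE_PROXY_LOG = [
    "2022-02-25T09:14:02Z 10.20.30.40 GET https://cdn.discordapp.com/attachments/1/2/invoice.js 200",
    "2022-02-25T09:14:05Z 10.20.30.40 GET https://www.example.com/index.html 200",
    "2022-02-25T09:15:11Z 10.20.30.41 GET https://discordapp.com/ 301",
    "2022-02-25T09:16:40Z 10.20.30.42 GET https://notdiscordapp.com/login 200",
    "garbled line",
]

if __name__ == "__main__":
    for hit in flag_blocked_domain(SAMPLE_PROXY_LOG):
        print("ALERT", *hit)
```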
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat
Stories
Rating ★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.