One Article Review

Source: Anomali
Identifier: 4285837
Publication date: 2022-03-15 16:46:00 (viewed: 2022-03-15 17:05:52)
Title: Anomali Cyber Watch: Government and Financially-Motivated Targeting of Ukraine, Conti Ransomware Active Despite Exposure, Carbanak Abuses XLL Files, and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Excel add-ins, phishing, Russia, Ukraine, and vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Webinar on Cyberattacks in Ukraine – Summary and Q&A (published: March 14, 2022)

As the military conflict in Ukraine continues, the number of cyberattacks in Ukraine is expected to rise in the next six months, according to Kaspersky researchers. Most of the current attacks on Ukraine are of low complexity, but advanced persistent threat (APT) attacks exist too. The Gamaredon (Primitive Bear) APT group continues its spearphishing attacks. Sandworm APT targets SOHO network devices with the modular Linux malware Cyclops Blink. Other suspected APT campaigns use the MicroBackdoor malware or various wipers and fake ransomware (HermeticRansom, HermeticWiper, IsaacWiper, WhisperGate). A honeypot network in Ukraine detected over 20,000 attacking IP addresses, most of which were seen attacking Ukraine exclusively.

Analyst Comment: Harden your infrastructure against DDoS attacks, ransomware and destructive malware, phishing, targeted attacks, supply-chain attacks, and firmware attacks. Install all the latest patches. Install security software. Consider strict application whitelisting for all machines. Actively hunt for attackers inside the company's internal network using the retrospective visibility provided by Anomali XDR.

MITRE ATT&CK: [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Fallback Channels - T1008 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Disk Content Wipe - T1488 | [MITRE ATT&CK] Inhibit System Recovery - T1490

Tags: Gamaredon, Sandworm, MicroBackdoor, Hades, HermeticWiper, HermeticRansom, IsaacWiper, Pandora, Cyclops Blink, Government, Russia, Ukraine, UNC1151, Ghostwriter, Belarus, Ukraine-Russia Conflict 2022, Operation Bleeding Bear

Alert (AA21-265A) Conti Ransomware (Updated) (published: March 9, 2022)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), with assistance from the U.S. Secret Service, has updated the alert on Conti ransomware with 98 domain names used in malicious operations. The Conti ransomware-as-a-service (RaaS) operation is attributed to the threat group Wizard Spider, also known for its Trickbot malware. The group's internal data and communications were leaked at the end of February 2022 after it announced support for Russia over the conflict in Ukraine.

Analyst Comment: Despite the increased attention to the Conti ransomware group, it remains extremely active. Ensure t
Sent: Yes
Tags: Ransomware, Malware, Tool, Vulnerability, Threat
Stories: APT 28


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up by a previous one.