One Article Review

Home - The article:
Source Anomali
Identifier 4477972
Publication date 2022-04-19 15:00:00 (viewed: 2022-04-19 15:07:43)
Title Anomali Cyber Watch: RaidForums Seized, Sandworm Attacks Ukrainian Power Stations, North Korea Steals Chemical Secrets, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, North Korea, Spearphishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

[Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.]

Trending Cyber News and Threat Intelligence

Lazarus Targets Chemical Sector (published: April 14, 2022)

In January 2022, Symantec researchers discovered a new wave of Operation Dream Job. This operation, attributed to the North Korea-sponsored group Lazarus, utilizes fake job offers delivered via professional social media and email communications. With the new wave of attacks, Operation Dream Job switched from targeting the defense, government, and engineering sectors to targeting South Korean organizations operating within the chemical sector. A targeted user executes an HTM file sent via a link. The HTM file is copied to a DLL file, which is then injected into legitimate system management software. It downloads and executes the final backdoor: a trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious export added (AppMgmt). After the initial access, the attackers gain persistence via scheduled tasks, move laterally, and collect credentials and sensitive information.

Analyst Comment: Organizations should train their users to recognize social engineering attacks, including those posing as "dream job" proposals. Organizations facing cyberespionage threats should implement a defense-in-depth approach: layering of security mechanisms, redundancy, and fail-safe defense processes.

MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555

Tags: Lazarus, Operation Dream Job, North Korea, source-country:KP, South Korea, target-country:KR, APT, HTM, CPL, Chemical sector, Espionage, Supply chain, IT sector

Old Gremlins, New Methods (published: April 14, 2022)

Group-IB researchers have released their analysis of threat actor OldGremlin's new March 2022 campaign. OldGremlin favored phishing as an initial infection vector, crafting intricate phishing emails that target Russian industries. The threat actors utilized the current war between Russia and Ukraine to add a sense of legitimacy to their emails, claiming that users needed to click a link to register for a new credit card, as current ones would be rendered useless by incoming sanctions. The link leads users to a malicious Microsoft Office document stored within Dropbox. When macros are enabled, the threat actor's new, custom backdoor, TinyFluff, a new version of their old TinyNode
Sent Yes
Tags: Ransomware, Spam, Malware, Vulnerability, Threat, Guideline, Medical
Stories: APT 38, APT 28


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.