One Article Review

Source Anomali
Identifier 4573852
Publication date 2022-05-10 17:08:00 (viewed: 2022-05-10 18:05:59)
Title Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More
Text

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, cyberespionage, phishing, ransomware, sideloading, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE (published: May 9, 2022)

CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is rated critical (CVSSv3 score 9.8). By May 6, 2022, multiple researchers had developed proof-of-concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022.

Analyst Comment: Update vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations are available: block iControl REST access through the self IP addresses and through the management interface, and modify the BIG-IP httpd configuration.

MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication

Mobile Subscription Trojans and Their Little Tricks (published: May 6, 2022)

Kaspersky researchers analyzed five Android trojans that secretly subscribe users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to the Google Play Store under different names. To avoid detection, the malicious functionality does not start until the trojan confirms that the app is available in the store. The malicious payload is split across up to four files. It can block or substitute anti-fraud scripts and modify the X-Requested-With header in HTTP requests.

Another Android malware involved in subscription fraud, the MobOk trojan, has additional functionality to bypass CAPTCHA. MobOk was seen in a malicious app in the Google Play Store, but its most common infection vector is being dropped by other trojans such as Triada.

Analyst Comment: Limit app downloads to the official stores (Google Play for Android), and avoid new apps with a low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting an app more permissions than its alleged function requires. Monitor your balance and subscription list.

MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565
Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH

Raspberry Robin Gets the Worm Early (published: May 5, 2022)

Since September 2021, Red Canary researchers have been monitoring Raspberry Robin, a new worm
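The F5 BIG-IP story above recommends restricting iControl REST access to trusted interfaces and checking logs for exploitation attempts. The following is an added example, not code from the Anomali report or from F5, that flags iControl REST requests (identified by the /mgmt/ path prefix that iControl REST is served under) reaching a BIG-IP from outside a trusted management range. The Apache combined log format, the 10.0.0.0/24 trusted range and the sample log lines are constructed assumptions for the example; adjust them to your environment.

```python
"""Added example: flag iControl REST requests from untrusted sources in
BIG-IP httpd access logs. Not code from the Anomali report or from F5."""
import ipaddress
import re

# Assumption: BIG-IP httpd writes Apache combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# iControl REST is served under the /mgmt/ prefix on BIG-IP.
ICONTROL_PREFIX = "/mgmt/"

# Hypothetical trusted management network; replace with your own ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(src: str) -> bool:
    """True if the source address falls inside a trusted management range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Unparseable source (e.g. a hostname): treat as untrusted.
        return False
    return any(addr in net for net in TRUSTED_NETS)


def suspicious_icontrol_requests(lines):
    """Return iControl REST requests that came from outside TRUSTED_NETS.

    Each hit records source, method, path and status so an analyst can
    pivot on it. State-changing methods are marked high priority because a
    2xx answer there means the request was accepted, not merely attempted.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry (e.g. a syslog line)
        if not m["path"].startswith(ICONTROL_PREFIX):
            continue  # only iControl REST traffic is of interest here
        if is_trusted(m["src"]):
            continue  # reached the API from the management range: expected
        writing = m["method"] in ("POST", "PUT", "PATCH", "DELETE")
        hits.append({
            "src": m["src"],
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "priority": "high" if writing else "medium",
        })
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/May/2022:13:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [08/May/2022:13:05:44 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 200 311 "-" "python-requests/2.27.1"',
    '198.51.100.9 - - [08/May/2022:13:06:10 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 128 "-" "curl/7.68.0"',
    '198.51.100.9 - - [08/May/2022:13:06:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'May  8 13:07:00 bigip notice httpd[1234]: not an access-log line',
]

if __name__ == "__main__":
    for hit in suspicious_icontrol_requests(SAMPLE_LOG):
        print(f'{hit["priority"]:6} {hit["src"]:15} {hit["method"]:5} '
              f'{hit["path"]} -> {hit["status"]}')
```

Run against the constructed sample, the two requests from 203.0.113.7 and 198.51.100.9 are reported and the request from the trusted range and the non-iControl /tmui/ request are not. A hit with a 2xx status on a writing method from an untrusted source is the case to escalate first; once the self IP and management-interface restrictions from the analyst comment are in place, any hit at all indicates the restriction is not effective.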
Envoyé Oui
Tags Ransomware Malware Tool Vulnerability Threat
Stories APT 29 APT 28


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.