One Article Review

Home - The article:
Source Anomali
Identifier 5145972
Publication date 2022-06-14 15:15:00 (viewed: 2022-06-14 16:07:04)
Title Anomali Cyber Watch: Symbiote Linux Backdoor is Hard to Detect, Aoqin Dragon Comes through Fake Removable Devices, China-Sponsored Groups Proxy through Compromised Routers, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Hooking, Ransomware, Stealthiness, Vulnerabilities, and Web skimming. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat (published: June 9, 2022)

Intezer and BlackBerry researchers described a new, previously unknown malware family dubbed Symbiote. It is a very stealthy Linux backdoor and credential stealer that has been targeting financial and other sectors in Brazil since November 2021. Symbiote is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD before any other SOs. It uses hardcoded lists to hide associated processes and files, and alters the way ldd displays the list of loaded SOs so that it removes itself from that list. Additionally, Symbiote uses three methods to hide its network traffic. For TCP, Symbiote hides traffic related to some high-numbered ports and/or certain IP addresses using two techniques: (1) hooking fopen and fopen64 and returning scrubbed file content for /proc/net/tcp, the file that lists current TCP sockets, and (2) hooking extended Berkeley Packet Filter (eBPF) code to hide certain network traffic from packet capture tools. For UDP, Symbiote hooks two libpcap functions, filtering out packets containing certain domains and correcting the packet count. All these evasion measures can lead to Symbiote staying hidden during a live forensic investigation.

Analyst Comment: Defenders are advised to use network telemetry to detect anomalous DNS requests associated with Symbiote exfiltration attempts. Security solutions could be deployed as statically linked executables so they don't expose themselves to this kind of compromise by loading additional libraries.

MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Data Staged - T1074
Tags: Symbiote, target-region:Latin America, Brazil, target-country:BR, Financial, Linux, Berkeley Packet Filter, eBPF, LD_PRELOAD, Exfiltration over DNS, dnscat2

Alert (AA22-158A). People's Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices (published: June 8, 2022)

Several US federal agencies issued a special Cybersecurity Advisory regarding China-sponsored activities concentrating on two aspects: compromise of unpatched network devices, and threats to IT and telecom companies. Attackers compromise unpatched network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, to serve as "hop points" that obfuscate their China-based IP addresses in preparation for and during the next intrusion. Similarly, routers in IT and telecom companies are targeted for initial access by China-sponsored groups, this time using open-source router-specific software frameworks, RouterSploit and RouterScan.

Analyst Comment: When planning your company
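The Symbiote write-up above names three places a defender can look: LD_PRELOAD (set per process or via /etc/ld.so.preload), the fopen/fopen64 hook that hands back a scrubbed /proc/net/tcp, and the statically linked-tooling recommendation. The script below is an added example written for this review, not code from Anomali, Intezer or BlackBerry. It parses constructed samples of /etc/ld.so.preload, a /proc/<pid>/environ blob and /proc/net/tcp (all labelled as constructed in the code, none of them IOCs from the page), flags preload entries outside a trusted-directory list that is this example's own assumption, and reads files through raw open/read syscalls so the result can be diffed against what a stdio-based tool reports. Function names and the TRUSTED_PRELOAD_DIRS tuple are hypothetical; the address decoding assumes an x86-style little-endian /proc rendering.

```python
import os
import socket

# Added example, not the researchers' or Anomali's code. All sample inputs below
# are constructed for this example; they are not indicators from the article.

# Constructed /etc/ld.so.preload: one entry in a system library dir, one in /tmp.
SAMPLE_LD_SO_PRELOAD = (
    "/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so\n"
    "/tmp/.x/libhidden.so\n"
)

# Constructed /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs).
SAMPLE_ENVIRON = b"PATH=/usr/bin\x00LD_PRELOAD=/dev/shm/libhidden.so\x00HOME=/root\x00"

# Constructed /proc/net/tcp in the kernel's format. Addresses are hex in host
# byte order, so on x86 "0100007F:0016" is 127.0.0.1:22.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0A00020F:D431 5E0A1A2B:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0\n"
)

# Assumption for this example: preloads from these prefixes are considered expected.
TRUSTED_PRELOAD_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def suspicious_preload_entries(content):
    """Entries of /etc/ld.so.preload that live outside the trusted library directories."""
    findings = []
    for line in content.splitlines():
        path = line.strip()
        if path and not path.startswith("#") and not path.startswith(TRUSTED_PRELOAD_DIRS):
            findings.append(path)
    return findings


def ld_preload_from_environ(raw):
    """Value of LD_PRELOAD in a /proc/<pid>/environ blob, or None if it is unset."""
    for entry in raw.split(b"\x00"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def _decode_addr(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22); assumes a little-endian host as on x86."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp rows into dicts; the socket inode is the stable key."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        sockets.append({
            "local": _decode_addr(fields[1]),
            "remote": _decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "inode": int(fields[9]),
        })
    return sockets


def read_without_stdio(path):
    """Read a file through raw open/read syscalls rather than libc's fopen.

    A userland hook on fopen/fopen64 never sees this read, so its output can be
    compared with a stdio-based tool's view. It does not bypass hooks placed at
    the eBPF or kernel layer.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
    finally:
        os.close(fd)
    return b"".join(chunks).decode()


def missing_sockets(reference, observed):
    """Sockets in the reference view that are absent from the observed view (by inode)."""
    seen = {s["inode"] for s in observed}
    return [s for s in reference if s["inode"] not in seen]


if __name__ == "__main__":
    print("ld.so.preload findings:", suspicious_preload_entries(SAMPLE_LD_SO_PRELOAD))
    print("LD_PRELOAD in environ:", ld_preload_from_environ(SAMPLE_ENVIRON))
    full = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    scrubbed = full[:2]                          # simulate a view with one socket scrubbed
    for s in missing_sockets(full, scrubbed):
        print("socket missing from stdio view:", s)
    if os.path.exists("/proc/net/tcp"):          # live comparison on a Linux host
        live = parse_proc_net_tcp(read_without_stdio("/proc/net/tcp"))
        print("sockets visible through raw read:", len(live))
```

On a live host, run the raw-read view against the output of a dynamically linked tool that reads /proc/net/tcp through stdio; a socket that appears only in the raw view is the signature of the fopen-level scrubbing described above, while a socket missing from both views points at the eBPF or kernel layer and needs a different check.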
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Guideline
Stories CCleaner


The article does not seem to have been picked up after its publication.

The article does not seem to be a repeat of a previous one.