One Article Review

Source Anomali
Identifier 5309464
Publication date 2022-06-21 15:03:00 (viewed: 2022-06-21 15:10:10)
Title Anomali Cyber Watch: GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool, DragonForce Malaysia OpsPatuk / OpsIndia and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT35, CrescentImp, Follina, Gallium, Phosphorous, and Sandworm. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Update: The Phish Goes On - 5 Million Stolen Credentials and Counting (published: June 16, 2022)

PIXM researchers describe an ongoing, large-scale Facebook phishing campaign. Its primary targets are Facebook Messenger mobile users, and an estimated five million users have lost their login credentials. The campaign evades Facebook's anti-phishing protection by redirecting to a new page hosted on a legitimate service such as amaze.co, famous.co, funnel-preview.com, or glitch.me. In June 2022, the campaign also employed the tactic of displaying legitimate shopping cart content on the final page for about two seconds before displaying the phishing content. The campaign is attributed to the Colombian actor BenderCrack (Hackerasueldo), who monetizes it by displaying affiliate ads.

Analyst Comment: Users should check which domain is asking for login credentials before providing them. Organizations can consider monitoring employees who use Facebook as a Single Sign-On (SSO) provider.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204
Tags: Facebook, Phishing, Facebook Messenger, Social networks, Mobile, Android, iOS, Redirect, Colombia, source-country:CO, BenderCrack, Hackerasueldo

F5 Labs Investigates MaliBot (published: June 15, 2022)

F5 Labs researchers describe a novel Android trojan, dubbed MaliBot. Based on rewritten SOVA malware code, MaliBot keeps its background service alive by setting itself as the launcher. Its code contains some unused evasion routines for detecting emulation environments and for setting the malware as a hidden app. MaliBot spreads via smishing, takes control of the device, and monetizes it using overlays for certain Italian and Spanish banks, stealing cryptocurrency, and sometimes sending Premium SMS to paid services.

Analyst Comment: Users should be wary of following links in unexpected SMS messages. Avoid downloading apps from third-party websites. Be cautious when enabling accessibility options.

MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] User Execution - T1204
Tags: MaliBot, Android, MFA bypass, SMS theft, Premium SMS, Smishing, Binance, Trust wallet, VNC, SOVA, Sality, Cryptocurrency, Financial, Italy, target-country:IT, Spain, target-country:ES

Extortion Gang Ransoms Shoprite, Largest Supermarket Chain in Africa (published: June 15, 2022)

On June 10, 2022, Shoprite Holdings, Africa's largest supermarket chain, operating in twelve countries, announced a possible cybersecurity incident. The company notified customers in E
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Guideline Conference
Stories Yahoo APT 35


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.