One Article Review

Source Anomali
Identifier 5579532
Publication date 2022-07-06 15:01:00 (viewed: 2022-07-06 15:06:30)
Title Anomali Cyber Watch: Russian KillNet DDoSed Lithuania, Building Automation Systems Targeted to Install ShadowPad, China-Sponsored Group Jumps from Home Routers to Connected Machines, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Industrial Control Systems, Phishing, Russia, Toll fraud, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Toll Fraud Malware: How an Android Application Can Drain Your Wallet (published: June 30, 2022)

Toll fraud malware (a subcategory of billing fraud) subscribes users to premium services without their knowledge or consent. It is one of the most prevalent types of Android malware, accounting for 35% of installed harmful applications from the Google Play Store in the first quarter of 2022. Microsoft researchers describe the evolution of the techniques toll fraud malware uses to abuse Wireless Application Protocol (WAP) billing. Toll fraud malware can intercept one-time passwords (OTPs) over multiple channels (HTTP, SMS, or USSD). It suppresses notifications and uses dynamic code loading to hide its malicious activities.

Analyst Comment: Mobile applications should only be downloaded from official trusted locations such as the Google Play Store. Users should be mindful when granting unusual, powerful permissions such as SMS permissions, notification listener access, or accessibility access. Replace older Android phones if they no longer receive updates.

MITRE ATT&CK: User Execution - T1204

Tags: Toll fraud, Android, Billing fraud, Wireless Application Protocol, WAP billing

ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks (published: June 28, 2022)

Black Lotus Labs discovered a China-sponsored, years-long campaign that exploits small office/home office (SOHO) routers for initial access. When exploiting Ruckus JCG-Q20 routers in Hong Kong, the attackers leveraged the CVE-2020-26878 and CVE-2020-26879 vulnerabilities. Other exploits are yet to be uncovered, with the most targeted devices being from ASUS, Cisco, DrayTek, and NETGEAR, mostly in Canada, the UK, and the US. The attackers installed a heavily modified version of the Mirai botnet dubbed ZuoRAT. ZuoRAT collects information on target networks, captures traffic (credentials passed in the clear, browsing activity), and hijacks network communication. The attackers then move laterally, targeting Windows and other machines on the same network and installing one of three agents: Cobalt Strike, CBeacon, or GoBeacon.

Analyst Comment: SOHO router users should regularly reboot routers and install security updates. Businesses should ensure robust detection on network-based communications.

MITRE ATT&CK: Exploit Public-Facing Application - T1190 | Ingress Tool Transfer - T1105 | Proxy - T1090 | Application Layer Protocol - T1071 | Component Object Model Hijacking - T1122
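The toll fraud story above points at a concrete, checkable pattern: the app asks for SMS access (to read the OTP), binds a notification listener (to suppress the carrier's billing notification), and binds an accessibility service (to click through the subscription dialog). The script below is an added example, not code from Anomali or from Microsoft's write-up: it statically triages an AndroidManifest.xml for exactly that combination. The two manifests, package names and service names in it are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Runtime permissions that let an app read or send SMS: enough to intercept an
# OTP and to answer a subscription confirmation on the victim's behalf.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Service-binding permissions. A <service> guarded by the first is a
# notification listener (it can cancel the carrier's billing notification);
# one guarded by the second is an accessibility service (it can tap through a
# subscription dialog without the user).
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
ACCESSIBILITY_SERVICE = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise the toll-fraud-relevant capabilities a manifest declares.

    The 'toll_fraud_pattern' verdict is a triage heuristic, not a malware
    label: SMS access alone is normal for messaging apps, so only SMS access
    combined with notification suppression or UI automation is flagged.
    """
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ATTR_NAME) for e in root.iter("uses-permission")}
    # BIND_* permissions are not requested with <uses-permission>; they appear
    # as the android:permission attribute of the exported <service>.
    bound = {s.get(ATTR_PERMISSION) for s in root.iter("service")}
    result = {
        "package": root.get("package"),
        "sms": sorted(requested & SMS_PERMISSIONS),
        "notification_listener": NOTIFICATION_LISTENER in bound,
        "accessibility": ACCESSIBILITY_SERVICE in bound,
    }
    result["toll_fraud_pattern"] = bool(result["sms"]) and (
        result["notification_listener"] or result["accessibility"]
    )
    return result


# Constructed manifests for demonstration; neither is from a real app.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Free Wallpapers">
    <service android:name=".NotifSvc" android:exported="true"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <service android:name=".A11ySvc" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

MESSAGING_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sms">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Messages"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, MESSAGING_MANIFEST):
        print(triage_manifest(manifest))
```

The check survives the dynamic code loading the story mentions: whatever payload is fetched at runtime, a notification listener or accessibility service can only be bound by the system if it is declared in the manifest, so the capability is visible statically even when the code that abuses it is not. The messaging-app manifest shows the necessary caveat: SMS permissions alone are not flagged.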
Tags Malware, Tool, Vulnerability, Threat


The article does not appear to have been republished after its publication.


The article does not appear to be a republication of a previous one.