Source |
Anomali |
Identifier |
5953922 |
Publication date |
2022-07-26 17:10:00 (viewed: 2022-07-26 18:06:18) |
Title |
Anomali Cyber Watch: Cozy Bear Abuses Google Drive API, Complex Lightning Framework Targets Linux, Google Ads Hide Fraudulent Redirects, and More |
Text |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Bots, China, Linux, Malspam, Mobile, Russia, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware
(published: July 21, 2022)
Intezer researchers discovered a new Linux malware called Lightning Framework (Lightning). It is a modular framework able to install multiple types of rootkits and to run various plugins. Lightning has passive and active capabilities for communication with the threat actor, including opening up SSH service via an OpenSSH daemon, and a polymorphic command and control (C2) configuration. Lightning is a newly discovered threat, and there is no information about its use in the wild and the actors behind it.
Analyst Comment: Defenders should block known Lightning indicators. Monitor for file creation based on the Lightning naming convention.
MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Network Sniffing - T1040 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: Lightning Framework, Linux, Lightning.Downloader, Lightning.Core, Typosquatting, Masquerading, Timestomping, Port:33229
Google Ads Lead to Major Malvertising Campaign
(published: July 20, 2022)
Malwarebytes researchers discovered a malvertising campaign abusing Google Search advertisements for popular keywords such as “amazon,” “fac |
Notes |
|
Sent |
Yes |
Tags |
Malware
Tool
Threat
Guideline
|
Stories |
APT 29
|