One Article Review

Home - The article:
Source: Anomali
Identifier: 6487319
Publication date: 2022-08-23 17:35:00 (viewed: 2022-08-23 18:06:31)
Title: Anomali Cyber Watch: Emissary Panda Adds New Operation Systems to Its Supply-Chain Attacks, Russia-Sponsored Seaborgium Spies on NATO Countries, TA558 Switches from Macros to Container Files, and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, DDoS, Russia, Spearphishing, Supply chain, Taiwan, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Reservations Requested: TA558 Targets Hospitality and Travel (published: August 18, 2022)

Since 2018, the financially motivated threat group TA558 has targeted the hospitality and travel sectors with reservation-themed, business-relevant phishing emails. The group concentrates on Latin America, using lures written in Portuguese and Spanish, and sometimes uses English lures with wider targeting (North America, Western Europe). TA558 has been seen leveraging at least 15 different malware payloads, most often AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm. In 2022, Proofpoint researchers observed that TA558 increased its activity and moved from malicious macros to URLs and container files (ISO, RAR).

Analyst Comment: Microsoft's preparations to disable macros by default in Office products caused multiple threat groups, including TA558, to adopt new file types to deliver payloads. It is crucial for personnel working with invoices and other external attachments to use updated, secured systems and to be trained on phishing threats. Anomali Match can be used to quickly search your infrastructure for known TA558 IOCs.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Ingress Tool Transfer - T1105

Tags: TA558, AsyncRAT, Loda, RAT, Vjw0rm, BluStealer, Revenge RAT, XtremeRAT, Hospitality, Travel, Phishing, ISO, RAR, PowerShell, CVE-2017-11882, CVE-2017-8570

Estonia Subjected to 'Extensive' Cyberattacks after Moving Soviet Monuments (published: August 18, 2022)

On August 17, 2022, the Russian hacktivist group KillNet launched distributed denial-of-service (DDoS) attacks targeting Estonia. The Estonian government confirmed receiving the "most extensive" DDoS attacks in 15 years, but stressed that all services were back online after only minor interruptions. Small and medium-sized DDoS attacks targeted 16 state and private organizations in the country, with seven of them experiencing downtime as a result. Specifically, the Estonian Tax and Customs Board website was unavailable for about 70 minutes.

Analyst Comment: Russian cyber activity follows political tensions, this time coinciding with the removal of a Red Army memorial. Estonia seemingly fended off this Russian DDoS attack with ease, but the country is among the top-ranked in cyber preparedness, and Russia limited its strike to hacktivist groups that provide plausible deniability when the cyber attack on a NATO country is attributed. Organizations that rely on stable work of their I
Sent: Yes
Tags: Threat Ransomware Malware Tool
Stories: APT 27
Notes:


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.