One Article Review

Home - The article:
Source Anomali
Identifier 6869959
Publication date 2022-09-13 15:00:00 (viewed: 2022-09-13 15:06:36)
Title Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022)

Microsoft researchers discovered that groups working under Iran's Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with an initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania.

Analyst Comment: The MOIS attack on Albania uses messaging and targeting similar to the earlier MEK-associated attack on Iran. It tells us that Iran has chosen to engage in what it sees as direct and proportional retaliation. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users are advised to block known OilRig network indicators.

MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070

Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona

BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022)

Secureworks researchers detected a new campaign by the China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antivirus engines, the archived email attachment had the malware embedded eight levels deep in a sequence of hidden folders named with special characters.

Analyst Comment: Many advanced attacks start with basic techniques such as an unsolicited email with a malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 |
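The Bronze President lure above hides its payload eight folders deep under folder names made of special characters, which is exactly the kind of structure an archive pre-filter can flag before a mail scanner gives up on depth. The following is an added example (not Anomali's or Secureworks' tooling) that builds a constructed ZIP mimicking that layout and scans it for deep nesting, hidden-character folder names and executable leaves; the thresholds and extension list are assumptions.

```python
"""Heuristic archive scan for nesting-based evasion (added example, not the
vendor's code). Flags members buried many folders deep under names made of
hidden/special characters, as in the lure described above."""
import io
import unicodedata
import zipfile

# Assumed list of leaf extensions a mail gateway should always inspect.
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".lnk", ".js", ".vbs", ".bat", ".ps1")

def odd_name(component: str) -> bool:
    """True if a path component is whitespace-only, contains zero-width or
    control characters, or has no letters/digits at all."""
    if not component.strip():
        return True
    for ch in component:
        # Cf = format characters (zero-width joiners etc.), Cc = control chars
        if unicodedata.category(ch) in ("Cf", "Cc"):
            return True
    return not any(ch.isalnum() for ch in component)

def suspicious_entries(zip_bytes: bytes, max_depth: int = 4) -> list[dict]:
    """Return one finding per archive member that looks like nesting-based evasion."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.replace("\\", "/").split("/")
            folders, leaf = parts[:-1], parts[-1]
            reasons = []
            if len(folders) >= max_depth:
                reasons.append(f"nested {len(folders)} levels deep")
            odd = [f for f in folders if odd_name(f)]
            if odd:
                reasons.append(f"{len(odd)} folder name(s) made of hidden/special characters")
            if leaf.lower().endswith(EXECUTABLE_EXTS):
                reasons.append("executable payload")
            if reasons:
                findings.append({"member": info.filename, "depth": len(folders), "reasons": reasons})
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample: a benign document plus a payload eight folders deep
    under zero-width and whitespace folder names (placeholder bytes, no malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invitation.docx", b"benign placeholder")
        hidden = "/".join(["\u200b", " ", "\u200c", "\u00a0", "\u2063", "\u200b\u200b", "  ", "\u200d"])
        zf.writestr(hidden + "/update.exe", b"placeholder payload bytes")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in suspicious_entries(build_sample_archive()):
        print(repr(finding["member"]), finding["reasons"])
```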
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Guideline
Stories APT 27 APT 34


The article does not seem to have been picked up after its publication.


The article does not seem to have been taken from a previous one.