One Article Review

Home - The article:
Source Anomali
Identifier 7161515
Publication date 2022-09-27 16:51:00 (viewed: 2022-09-27 17:06:40)
Title Anomali Cyber Watch: Sandworm Uses HTML Smuggling and Commodity RATs, BlackCat Ransomware Adds New Features, Domain Shadowing Is Rarely Detected, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Fraud, Inbound connectors, Phishing, Ransomware, Russia, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

A Multimillion Dollar Global Online Credit Card Scam Uncovered (published: September 23, 2022)

ReasonLabs researchers discovered a large network of fake dating and customer support websites involved in credit card fraud operations. The threat actor builds a basic website, registers it with a payment processor (RocketGate), buys credit card data from other threat actors, and subscribes victims to monthly charging plans. The US was the most targeted, and a smaller number of sites targeted France. To pass the processor's checks and keep chargebacks low, the actor avoided test charges, used a generic billing name, charged only a small amount typical for the industry, and hired a legitimate support center provider that made cancelling and refunding the payment effortless.

Analyst Comment: Users are advised to regularly check their bank statements and dispute fraudulent charges. Researchers can identify a fraudulent website by the overwhelming dominance of direct-traffic visitors from a single country, a small network of fake profiles, and a physical address typed onto a picture to avoid indexing.

Tags: Credit card, Fraud, Scam, Chargeback, Payment processor, Fake dating site, USA, target-country:US, France, target-country:FR, target-sector:Finance NAICS 52

Malicious OAuth Applications Used to Compromise Email Servers and Spread Spam (published: September 22, 2022)

Microsoft researchers described a relatively stealthy abuse of a compromised Exchange server used to send fraudulent spam emails. After using valid credentials to gain access, the actor deployed a malicious OAuth application, gave it admin privileges, and used it to change Exchange settings. The first modification created a new inbound connector allowing mail from certain actor IPs to flow through the victim's Exchange server and appear to originate from the compromised Exchange domain. Second, 12 new transport rules were set to delete certain anti-spam email headers.

Analyst Comment: If you manage an Exchange server, strengthen account credentials and enable multifactor authentication. Investigate any alerts about suspicious email sending or the removal of anti-spam headers.

MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Indicator Removal on Host - T1070

Tags: Exchange, Microsoft, PowerShell, Inbound connector, Transport rule, Fraud, Spam

NFT Malware Gets New Evasion Abilities (published: September 22, 2022)

Morphisec researchers describe a campaign targeting non-fungible token (NFT) communities since November 2020. A malicious link is sent via Discord or another forum in a private phishing message related to an NFT or a financial opportunity. If the user
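The Exchange abuse described above (an inbound connector restricted to the actor's IPs, plus transport rules that strip anti-spam headers) leaves configuration artifacts an administrator can audit. The script below is an added example, not code from Anomali or from Microsoft's report; it assumes an already-established Exchange Online PowerShell session with rights to read connectors, transport rules and the unified audit log, and the function names are my own.

```powershell
# Added audit example (not from the Anomali digest or Microsoft's report).
# Assumes Connect-ExchangeOnline has already been run in this session.

function Get-RecentIPRestrictedInboundConnector {
    # Inbound connectors scoped to a list of sender IPs match the pattern in the
    # report: mail from those IPs relays through the tenant and leaves carrying
    # the victim's domain. Legitimate on-premises connectors look similar, so
    # every recent hit should be matched against change records.
    param([int]$NewerThanDays = 30)
    $since = (Get-Date).AddDays(-$NewerThanDays)
    Get-InboundConnector | Where-Object {
        $_.Enabled -and $_.SenderIPAddresses.Count -gt 0 -and $_.WhenCreated -ge $since
    } | Select-Object Name, ConnectorType, SenderIPAddresses, WhenCreated
}

function Get-HeaderRemovingTransportRule {
    # Transport rules whose action removes a message header. The report
    # describes 12 such rules deleting anti-spam headers; any rule with a
    # RemoveHeader action that nobody can account for deserves a look.
    Get-TransportRule | Where-Object { -not [string]::IsNullOrEmpty($_.RemoveHeader) } |
        Select-Object Name, State, Priority, RemoveHeader, WhenChanged
}

function Get-ConnectorAndRuleChangeEvents {
    # Unified audit log entries for connector and rule changes, so each finding
    # above can be tied to the account or OAuth application that made it.
    param([int]$Days = 30)
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations 'New-InboundConnector','Set-InboundConnector','New-TransportRule','Set-TransportRule' `
        -ResultSize 1000 |
        Select-Object CreationDate, UserIds, Operations
}

Get-RecentIPRestrictedInboundConnector | Format-Table -AutoSize
Get-HeaderRemovingTransportRule | Format-Table -AutoSize
Get-ConnectorAndRuleChangeEvents | Format-Table -AutoSize
```

A hit in the first two functions is a lead, not a verdict; the audit-log output is what tells you whether the change came from a known administrator or from an unexpected principal.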
Sent Yes
Condensat “cold 001 0113 197 200 2015 2020 2022 517 523160 649 abilities abuse abused access account accounts activity actor actor:blackcat actors added additional additionally address addresses adds admin advised affiliated after alerts all allowing alphv also alto always analyst analyzed android anomali anomali’s anti antispam antivirus any application applications april apt are artifacts ask assist asyncrat att&ck att&ck: attached attachments attempts attention audio audits august australia authentication autostart available avoid avoided babadeda backs backup backups baits bank basic because been behalf behind being benign between billing bitrat blackcat blackmatter block blockchain blog boot build builds business buys bypass campaign can canceling capabilities capability capture card carefully case center certain change channels charge chargeback charged charges charging charts check checks china chinese clicks colibri coming command comment: commodity communities community company compromise compromised connector connectors consider consistently contain continues continuity control controlled could country country:au country:cn country:fr country:ru country:ua country:us create created creation credentials credit crypter cryptocurrency custom customer customers cyber cybercrime cyberesionage darkcrystal darkside data database dating dead debian decryption delete deliver delivering deployed describe described destructing detected detection:alphv detection:asyncrat detection:babadeda detection:bitrat detection:blackcat detection:colibri detection:darkcrystal detection:eternity detection:exmatter detection:gmer detection:infostealer detection:mobileorder detection:nft detection:noberus detection:remcos detection:warzone detections developments devices different digital direct discord discovered discuss discussed dispute dll dns dollar domain domains dominance double downloader drop dubbed due dynamic eamfo ease easier effortless either email emails emulating 
enable encoded encrypted endpoint engineering entities erasing eternity evasion evolve exchange execution exfiltration existing exmatter exsi fake features figure file files final financial find first flow followed following foreign forms forum forums france fraud fraudulent from ftp functionality funds fungible further future gave generic get gets glimpse global gmer google group group:sandworm group:scarlet gru had has header headers heavily hide hides hijack hijacking hired host hosted html identify impact implement important inbound indexing indicator indicators industries industry industry:cryptocurrency industry:telecommunications infected infection information infostealer infrastructure ingress injection input installation installed: installing intelligence interpreter investigate involved ioc iocs ips iso isolation iteration its june key known large laundering layer legitimate level like likely link links linux listing lived loader location logon logs look lower magazine mails maintain maldocs malicious malware malware: manage march masquerading matching message messages microsoft military mimic mimic’s mitigated mitre mobile mobileorder modification monthly more morphisec most multifactor multimillion muslim naics name names need net network new newest news nexus nft noberus non normal not november number oauth obfuscated observed obtain official often one online only opened operating operations opportunity original originated other outside overwhelming owners palo particularly party pass password patches pattern pay payload payloads payment pdf performing permissions phishing photo physical picture plan plans platform play point pointing policies posts potential powershell premium preventing previously prior private privileges process processed processor profiles protection protocol provide provider providers providing published: querying range ransomware ransomware: rarely rat rats readynas real reasonlabs received receiving record recorded regarding 
registers regular regularly related relatively remcos removal report researchers resolut
Tags Ransomware Spam Malware Tool Threat


The article does not appear to have been picked up again after its publication.


The article does not appear to have been republished from an earlier one.