One Article Review

Home - The article:
Source Anomali
Identifier 7541845
Publication date 2022-10-18 15:00:00 (viewed: 2022-10-18 15:06:49)
Title Anomali Cyber Watch: Ransom Cartel Uses DPAPI Dumping, Unknown China-Sponsored Group Targeted Telecommunications, Alchimist C2 Framework Targets Multiple Operating Systems, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, Hacktivism, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Ransom Cartel Ransomware: A Possible Connection With REvil (published: October 14, 2022)

Palo Alto Networks researchers analyzed Ransom Cartel, a double-extortion ransomware-as-a-service group. Ransom Cartel came into existence in mid-December 2021, after the REvil group shut down. The group uses the Ransom Cartel ransomware, which shares significant code similarities with REvil, indicating close connections, but lacks REvil's obfuscation engine capabilities. Ransom Cartel has almost no obfuscation outside of the configuration: unlike REvil, it does not use string encryption or API hashing. Among the multiple tools used by Ransom Cartel, the DonPAPI credential dumper is unique to this group. It performs Windows Data Protection API (DPAPI) dumping by targeting DPAPI-protected credentials such as credentials saved in web browsers, RDP passwords, and Wi-Fi keys.

Analyst Comment: Network defenders should consider monitoring or blocking high-risk connections such as TOR traffic, which is often abused by Ransom Cartel and its affiliates. It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place regarding the proper configurations needed for your servers in order to conduct your business safely.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Software Deployment Tools - T1072 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] File and Directory Permissions Modification - T1222 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host -
Sent Yes
Tags Ransomware Malware Tool Threat
Stories APT 27


The article does not appear to have been picked up after its publication.


The article does not appear to have been reused from a previous one.