One Article Review

Home - The article:
Source Anomali
Identifier 7673563
Publication date 2022-10-25 16:53:00 (viewed: 2022-10-25 17:09:18)
Title Anomali Cyber Watch: Daixin Team Ransoms Healthcare Sector, Earth Berberoka Breaches Casinos for Data, Windows Affected by Bring-Your-Own-Vulnerable-Driver Attacks, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Infostealers, Iran, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Alert (AA22-294A) #StopRansomware: Daixin Team (published: October 21, 2022)

Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personally identifiable information and patient health information. A typical intrusion starts with initial access through virtual private network (VPN) servers, gained either by exploitation or with valid credentials obtained through prior phishing. The group uses SSH and RDP for lateral movement and targets VMware ESXi systems with ransomware based on leaked Babuk Locker source code.

Analyst Comment: Network defenders should keep the organization's VPN servers up to date on security updates. Enable multifactor authentication (MFA) on your VPN server and on other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment.

MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486

Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows

Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool (published: October 21, 2022)

Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and then exfiltrates selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group's recent attacks start with the exploitation of public-facing vulnerabilities from the ProxyShell and ProxyLogon families. BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses the AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys the BlackByte 2.0 ransomware payload.

Analyst Comment: It is crucial that your company ensures that servers are
Sent Yes
Tags Threat, Ransomware, Malware, Tool, Vulnerability, Medical
Stories APT 38
The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of a previous one.