One Article Review

Source: Anomali
Identifier: 7890921
Publication date: 2022-11-08 16:00:00 (seen: 2022-11-08 16:08:00)
Title: Anomali Cyber Watch: Active Probing Revealed Cobalt Strike C2s, Black Basta Ransomware Connected to FIN7, Robin Banks Phishing-as-a-Service Became Stealthier, and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: active scanning, EDR evasion, infostealers, phishing, and typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild (published: November 3, 2022)

Cobalt Strike remains a popular post-exploitation tool for threat actors trying to evade threat detection. Cobalt Strike’s Beacons use advanced, flexible command-and-control (C2) communication profiles for stealthy communication with an attacker-controlled Linux application called Team Server. Beacon implants can covertly use the DNS protocol or communicate via HTTP/HTTPS using the default Malleable C2 profile or the Malleable C2 Gmail profile. Palo Alto researchers probed the Internet for these three types of communication to find previously unknown active Team Server instances. The researchers preselected suspicious IP addresses with Shodan, actively probed them with stager requests, and initialized a connection with the netcat tool to test, verify and extract communication profile settings (such as the served stager bytes).

Analyst Comment: Network fingerprinting and active scanning technologies allow for proactive identification of threats such as Cobalt Strike’s C2 IP addresses. Network defenders and intelligence feed providers can get better coverage by improving their collaboration via threat intelligence platforms such as ThreatStream, provided by Anomali.

MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071
Tags: detection:Cobalt Strike Beacon, detection:Cobalt Strike, detection:Cobalt Strike Team Server, Cobalt Strike stager, Active scanning, Shodan, netcat, Post-exploitation tool, Gmail, DNS, TCP, HTTP, Windows

Abusing Microsoft Customer Voice to Send Phishing Links (published: November 3, 2022)

Avanan researchers detected a phishing campaign that has abused Microsoft Dynamics 365 Customer Voice since at least September 2022. These phishing emails come from the legitimate email address surveys@email.formspro.microsoft.com, and clicking the link opens Microsoft’s Customer Voice domain on a page whose URL starts with customervoice.microsoft.com/Pages/ResponsePage.aspx?id=... On that page, a user who clicks the embedded “Play Voicemail” link is redirected to an attacker-controlled phishing page asking for Microsoft account login credentials.

Analyst Comment: Organizations can use services like Anomali Digital Risk Protection, which defends your brand against brand abuse and continuously monitors domains for cybersquatters and domain hijacking to prevent phishing and malware attacks. Users are advised to always check the current domain by hovering over the URL, especially before entering credentials.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566
Tags: Customer Voice, Phishing, Microsoft, Forms Pro

Black Basta Ransomware
Sent: Yes
Tags: Ransomware, Malware, Tool, Threat


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.