One Article Review

Home - The article:
Source Anomali
Identifier 8295338
Publication date 2022-12-20 20:46:00 (viewed: 2022-12-27 21:08:00)
Title Anomali Cyber Watch: APT5 Exploited Citrix Zero-Days, Azov Data Wiper Features Advanced Anti-Analysis Techniques, Inception APT Targets Russia-Controlled Territories, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, backdoors, Belarus, China, data wiping, Russia, Ukraine and zero-days. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

APT5: Citrix ADC Threat Hunting Guidance (published: December 13, 2022)

On December 13, 2022, the US National Security Agency published a report on the ongoing exploitation of Citrix products. Citrix confirmed that this critical remote code execution vulnerability (CVE-2022-27518, CTX474995) affects Citrix Application Delivery Controller™ (Citrix ADC) and Citrix Gateway versions 12.1 and 13.0 before 13.0-58.32. Active exploitation of the CVE-2022-27518 zero-day was attributed to China-sponsored APT5 (Keyhole Panda, Manganese, UNC2630) and its custom Tricklancer malware.

Analyst Comment: All customers using the affected builds are urged to install the current build or upgrade to the newest version (13.1 or newer) immediately. The Anomali Platform has YARA signatures for the Tricklancer malware; network defenders are also encouraged to follow the additional NSA hunting suggestions (LINK): check the MD5 hashes of key executables on the Citrix ADC appliance, and analyze your off-device logs for gaps and mismatches, unauthorized modification of user permissions, unauthorized modifications to the crontab, and other known signs of APT5's activity.

MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: actor:APT5, actor:UNC2630, actor:Manganese, actor:Keyhole Panda, CVE-2022-27518, CTX474995, Citrix ADC, Citrix Gateway, Zero-day, China, source-country:CN

Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT (published: December 12, 2022)

In November 2022, Trend Micro researchers detected a new cryptojacking campaign. Unlike previously recorded campaigns that aim at installing cryptomining software, this one uses a remote access trojan (RAT): a Linux-targeting version of the open-source Chaos RAT. This Go-based RAT is multi-functional and can download additional files, run a reverse shell, and take screenshots.

Analyst Comment: Implement timely patching and updating of your systems. Monitor for sudden increases in resource utilization, track open ports, and check the usage of and changes made to DNS routing.

MITRE ATT&CK: [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Remote Access Tools - T12
Sent Yes
Tags Malware Tool Vulnerability Threat Patching Prediction
Stories APT 5
Notes ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of a previous one.