One Article Review

Home - The article:
Source Anomali
Identifier 8297872
Publication date 2023-01-04 16:30:00 (viewed: 2023-01-04 17:07:49)
Title Anomali Cyber Watch: Machine Learning Toolkit Targeted by Dependency Confusion, Multiple Campaigns Hide in Google Ads, Lazarus Group Experiments with Bypassing Mark-of-the-Web
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Data breaches, North Korea, Phishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays (published: January 1, 2023)

Between December 25th and December 30th, 2022, users who installed PyTorch-nightly were targeted by a malicious library. The malicious torchtriton dependency on PyPI uses the dependency confusion attack by having the same name as the legitimate one on the PyTorch repository (PyPI takes precedence unless excluded). The actor behind the malicious library claims that it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). At the same time, the library's features are more aligned with malware than with a research project. The code is obfuscated, it employs anti-VM techniques, and it doesn't stop at fingerprinting: it exfiltrates passwords, certain files, and the history of Terminal commands. Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server.

Analyst Comment: The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. The PyTorch team has renamed the 'torchtriton' library to 'pytorch-triton' and reserved the name on PyPI to prevent similar attacks. Open-source repositories and apps are a valuable asset for many organizations, but their adoption must be security-risk assessed, appropriately mitigated, and then monitored to ensure ongoing integrity.
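The dependency-confusion window described in the PyTorch story comes from resolving one package name against two indexes at once. The following is an added example, not code from Anomali or the PyTorch project; it models that resolution in a simplified form (candidates from every configured index are merged and the highest version wins), flags names that are served by both a private and the public index, and shows the mitigation of restricting a name to one trusted index. The private index URL and all package listings are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed index URLs and package listings for this example. The public URL is
# PyPI's real simple index; the private one is a placeholder.
PUBLIC_URL = "https://pypi.org/simple"
PRIVATE_URL = "https://private-index.example/simple"

@dataclass(frozen=True)
class Candidate:
    name: str     # normalized distribution name
    version: str  # release version string
    index: str    # index URL that offers this file

# The private index ships an internal build of "torchtriton"; the public index
# carries a same-named upload with a higher version (constructed, not real data).
PRIVATE_INDEX = [Candidate("torchtriton", "2.0.0", PRIVATE_URL)]
PUBLIC_INDEX = [
    Candidate("torchtriton", "3.0.0", PUBLIC_URL),
    Candidate("requests", "2.31.0", PUBLIC_URL),
]

def version_key(version: str) -> tuple:
    """Order versions by their numeric release segments (simplified PEP 440)."""
    return tuple(int(p) for p in version.split("+")[0].split(".") if p.isdigit())

def resolve(name: str, indexes: list[list[Candidate]],
            only_from: dict[str, str] | None = None) -> Candidate | None:
    """Pick the candidate an installer would choose for `name`.

    With several indexes configured (pip's --extra-index-url), candidates are
    merged and the highest version wins, whichever index offers it. `only_from`
    maps a name to the single index it may be taken from; that restriction is
    the mitigation: a same-named public upload is then never a candidate."""
    allowed = (only_from or {}).get(name)
    cands = [c for idx in indexes for c in idx
             if c.name == name and (allowed is None or c.index == allowed)]
    return max(cands, key=lambda c: version_key(c.version), default=None)

def confusable_names(private: list[Candidate], public: list[Candidate]) -> set[str]:
    """Names the private index serves that also exist on the public index:
    each one is a dependency that merged resolution could pull from outside."""
    return {c.name for c in private} & {c.name for c in public}

if __name__ == "__main__":
    indexes = [PRIVATE_INDEX, PUBLIC_INDEX]
    print("exposed names:", confusable_names(PRIVATE_INDEX, PUBLIC_INDEX))
    print("merged resolution picks:", resolve("torchtriton", indexes))
    print("pinned to private index:", resolve("torchtriton", indexes, {"torchtriton": PRIVATE_URL}))
```

Running the exposure check against a real private index listing is the useful part: every name it reports is one that should either be reserved on the public index (as PyTorch did with pytorch-triton) or resolved only from the private index.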
MITRE ATT&CK: [MITRE ATT&CK] T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1003.008 - OS Credential Dumping: /Etc/Passwd And /Etc/Shadow | [MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel
Tags: Dependency confusion, Dependency chain compromise, PyPI, PyTorch, torchtriton, Facebook, Meta AI, Exfiltration over DNS, Linux

Linux Backdoor Malware Infects WordPress-Based Websites (published: December 30, 2022)

Doctor Web researchers have discovered a new Linux backdoor that attacks websites based on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes). The exploited website pages are injected with malicious JavaScript that intercepts all user clicks on the infected page to cause a malicious redirect.

Analyst Comment: Owners of WordPress-based websites should keep all the components of the platform up-to-date, including third-party add-ons and themes. Use
Sent Yes
Tags Malware Tool Vulnerability Threat Patching Medical
Stories APT 38 LastPass
Notes ★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.